CVE-2026-34531
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Description
## Summary

In a situation where the client makes a request to a token-protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the `token` argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.

## Notes

- This issue applies only to token authentication.
- This issue applies only when the application verifies tokens by searching for them in a user database.
- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to `NULL` instead.
- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
- Basic and Digest authentication are not affected by this issue.

## Remediation

To protect against this issue, developers should make sure that no user in the user database has their `token` set to an empty string. If there are such users, change the value of those tokens to `NULL` instead. Alternatively, developers can upgrade their projects to `Flask-HTTPAuth>=4.8.1`, which fixes this issue.
Analysis
Flask-HTTPAuth versions prior to 4.8.1 allow authentication bypass when applications store empty string tokens in their user database, enabling unauthenticated attackers to authenticate as any user with an empty token set by submitting requests without a token or with an empty token value. This affects only token-based authentication mechanisms that verify tokens via database lookup rather than cryptographic means (e.g., JWTs). …
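The following is an added example, not code from Flask-HTTPAuth or the advisory, that models the application-side token verification callback described in the Summary and Remediation sections: a plain database lookup that matches an empty-string token when called with `token == ""`, beside the two fixes the advisory recommends (store `NULL`, and reject empty tokens before lookup). The user table and token values are constructed.

```python
# Added example (not Flask-HTTPAuth's own code): models the token verification
# callback that Flask-HTTPAuth invokes, and the remediations from the advisory.

# Constructed sample user table. 'carol' has no assigned token; a schema that
# stores "" for "no token" is the precondition the advisory describes.
USERS_WITH_EMPTY_TOKEN = [
    {"username": "alice", "token": "tok-alice-1"},
    {"username": "bob", "token": "tok-bob-2"},
    {"username": "carol", "token": ""},       # unassigned token stored as ""
]

# Same table with the advisory's primary remediation: unassigned tokens are NULL.
USERS_WITH_NULL_TOKEN = [
    {"username": "alice", "token": "tok-alice-1"},
    {"username": "bob", "token": "tok-bob-2"},
    {"username": "carol", "token": None},     # unassigned token stored as NULL
]


def verify_token_lookup(token, users):
    """Plain database lookup, as an application's @auth.verify_token callback
    might do it. Before 4.8.1 Flask-HTTPAuth called this with token == ""
    when the Authorization header was missing or empty, so a row whose
    token column is "" matches and that user is returned."""
    for user in users:
        if user["token"] == token:
            return user["username"]
    return None


def verify_token_hardened(token, users):
    """Defensive callback: refuses empty or missing tokens before any lookup
    and never matches rows that have no assigned token. Correct on either
    schema, so it also protects applications that cannot migrate "" to NULL."""
    if not token:
        return None
    for user in users:
        if user["token"] and user["token"] == token:
            return user["username"]
    return None
```

With the empty-string schema, `verify_token_lookup("", USERS_WITH_EMPTY_TOKEN)` returns `"carol"`, which is the bypass; with `NULL` tokens or the hardened callback the same call returns `None`.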
GHSA-p44q-vqpr-4xmg